Employer Beware: Spyware Comes to Mobile

The boom in mobile devices and the profusion of applications developed for them are creating new opportunities for cyber criminals to hack into and steal data from corporate networks.

Cyber security firms and the U.S. government warn of the dangers of sophisticated mobile app malware—viruses and other malicious code embedded in software applications—with one company reporting that even law-abiding app developers may be duped into unwittingly helping hackers.

“The bad guys are getting better at making their apps look legitimate,” said Bob Hansmann, senior product marketing manager at Websense Security Labs, during a webinar on the company’s 2013 security predictions.

Businesses and individuals need to be aware of the problem and adopt strategies and technology to prevent attacks, experts say. While anyone could be a target, malware can pose especially tricky challenges for companies with bring-your-own-device (BYOD) protocols, practices that allow employees to use personal smartphones and tablets for work.

Many people “are unaware that their mobile device can be compromised in the first place,” said Robert Siciliano, an online security expert with antivirus software firm McAfee, in an interview. Most mobile app viruses target devices operating on the widely used Android system, he noted.

“Criminals see the opportunity in mobile and they are gearing up and creating devices targeting mobile devices,” McAfee security expert Siciliano said. Malicious applications can spy on users, collect user names, passwords and credit card numbers, track websites visited, and see text messages sent and received, he noted.

“The best virus is stealthy, unobtrusive and works silently in the background,” Siciliano said.

Mobiles at Risk

In October 2012, the Federal Bureau of Investigation (FBI) warned that various malware was targeting Android-based devices, including one strain arriving as a work-at-home ad with a link to a website that infects smartphones and tablets with an information-stealing virus.

The FBI also warned about spyware called FinFisher that can control and monitor a device remotely. FinFisher “can be easily transmitted to a smartphone when the user visits a specific web link or opens a text message masquerading as a system update,” the FBI said.

ABI Research reported in September that “unique malware variants” grew by 2,180 percent, to 17,439, from the first quarter of 2011 to the second quarter of 2012.

“Games, social networking, productivity apps, financial tools are flocking to the mobile platform, and along with it, malware. Loss, theft, spam, Trojans, spyware, data breach, and aggressive advertising are some of the few threats facing vulnerable devices,” ABI stated in a release on its website.

The firm predicted the global market for mobile application security will be worth $398 million by the end of 2012, and calculated that there had been more than 130 billion downloads of mobile security apps already.

“With the increasing popularity of smartphones, mobile threats are on the rise. This has implications for security at the corporate level, as well as for individual privacy,” said Michela Menting, ABI Research senior cyber security analyst. “The mobile application security market is rife with vendors offering their wares. The priority now for end-users is understanding the issue at hand and finding the right offering that best suits their needs.”

Criminals are using SMiShing—a technique similar to phishing—to send text messages that look like they come from a legitimate source, like a phone carrier, Siciliano explained. The messages ask the user to click on links to “update” the device, which then gets infected with malware.

Antivirus software company Symantec noted recently on its blog that in November, phishing sites spoofed a popular social networking platform and asked for users’ financial data, purportedly to improve security. Users also were prompted to supply other personal information and e-mail passwords.

Websense Security Labs recommends that employers adopt advanced cyber-security planning and measures, as cybercriminals have found ways around various anti-virus software and intrusion-detection defenses.

Among its security predictions for 2013, Websense expects attacks to continue to exploit legitimate web platforms, including new content management systems. The company also anticipates that more cross-platform threats will involve mobile devices, with emerging desktop and cloud technologies augmenting the growth. Websense anticipates a growing threat to Microsoft mobile devices and increasing cyberthreats to Android devices.

Gaming, social networking and Internet browsing are good platforms for mobile devices to be compromised, said Websense’s Hansmann. He noted new platforms that likely will make it easier for cybercriminals to infect different types of devices with one strain of malware.

Microsoft’s new Windows 8 operating system, for instance, was designed for PCs as well as mobile devices, which makes it easier for legitimate developers to design new apps for different types of machines, Hansmann noted. Cyber attackers, however, may enjoy that same ease, he said. Any threat written to Windows, Hansmann said, “is probably now going to be easily portable to mobile devices.”

Meanwhile, Siciliano recommends that mobile device users avoid downloading apps from untrusted sites and instead use iTunes for Apple equipment and Google Play for Android-based devices. Websense notes that many threats to mobile devices pose as apps in unofficial marketplaces, often appearing as a legitimate game typically available in an official marketplace.

The company cautioned users to be wary of apps that seek more permissions than should be needed, and noted that many users automatically accept permissions without reading or understanding them.

Even trusted app stores may not be completely safe, according to Websense, which predicts they’ll host more malware in 2013 as they are flooded with new apps that require testing and verification.

Shopping through nonsanctioned app stores will continue to pose significant risk, especially for companies that allow employees to use their own mobile devices for work, Websense predicts.

Locate, Lock, Wipe Policies

The company warns that some cybercriminals, in a move to insert malware into otherwise legitimate apps, are offering money to regular developers to add code, purportedly to gather valid marketing data. They don’t tell the developers that the apps are asking for certain permissions and doing more than they appear, Hansmann said.

Employers that allow employees to bring their own devices to work need to establish policies and take steps to protect their own networks, experts say. Companies should give workers limited access to information over those gadgets, for example by not allowing them to receive attachments on their cell phones, Hansmann said. A company can handle BYOD “without exposing [itself] to excessive risk,” he said.

“BYOD is definitely a problem for companies, for the IT managers. They need to have an effective policy in place” about privacy and security procedures, Siciliano said. Companies can install an application on employees’ personal devices that gives the IT department the ability to “locate, lock and wipe” a lost or stolen laptop, tablet or mobile phone, he said.

“Lock, locate and wipe is fundamental to any bring-your-own-device” policy, Siciliano said. “Not having some level of control over that device … is irresponsible today” and can cost an organization a lot of money, he added.

Other steps companies and individuals can take to protect mobile devices include installing antivirus software and requiring a password to unlock a device, he said.

Mobile Device Best Practices

The FBI gave several tips for protecting mobile devices, including:

Obtain malware protection.

Protect the device with a passcode.

Avoid clicking on links or downloading software from unknown sources.

Use the same care on a mobile phone as on a computer when on the Internet.

Review and understand permissions you’re giving when you download applications.